Cloud Security Breaches: The Risk that Starlets and Startups Share

Written by Jodi Parker | October 14, 2014 | 9:50 pm

The recent hack of nude celebrity photos from Apple servers was another stark wake-up call for users of the Internet. On Labor Day weekend, hundreds of illicit photos of some of Hollywood’s best-known celebrities were posted on a message board owned by the notorious website 4chan. Images of Jennifer Lawrence, Kate Upton and several other celebrities were stolen off the cloud and displayed for all the world to see.

The leaked images were stored on the celebs’ iPhones, which means they were backed up to Apple’s iCloud system. It was from the iCloud servers that the images were stolen, not the physical phones themselves. The hack was more than just a flagrant violation of privacy. It was a criminal invasion of computer servers. Unfortunately, the laws of the United States haven’t caught up with technology, and prosecuting acts like this can be difficult. Recently, a Florida man who broke into celebrity email accounts and posted explicit photos he found there was sentenced to ten years in prison, but he’s one of the very few people who have been successfully prosecuted for hacks like this.

How Did This Happen?

Apple stated that the photo thefts were caused by “a targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.” The hackers used a combination of public information, phishing, and social engineering to access the iCloud accounts of the targeted individuals.

Once hackers had their hands on the passwords, they used a tool called Elcomsoft Phone Password Breaker to get into Apple’s servers and download the image backups from the users’ iPhones. Given the amount of information that these hackers actually located throughout the process, nude photos may be just the tip of the iceberg. Vast amounts of personal data were also collected that could be used in a variety of ways, including financial fraud.

Who is at Fault for Security Breaches Like This?

Apple has taken some responsibility for the attacks, but there has also been a bit of subtle victim-blaming involved. CEO Tim Cook told the Wall Street Journal, “When I step back from this terrible scenario that happened and say what more could we have done, I think about the awareness piece. I think we have a responsibility to ratchet that up. That’s not really an engineering thing.” While they claim they could have done more to help users protect themselves, the underlying message is that users need to do more on their end to protect their own sensitive information, information that they trust their providers to protect.

Users should be extremely careful when setting up passwords and security questions for their online accounts. Public figures should stay away from security questions and answers that can be easily found with a quick scan of a Wikipedia entry. However, Apple was not unaware of the existence of Elcomsoft’s password breaker, nor were they unaware of the ways in which hackers use it. They could have done more both to educate their customers and to protect them from hackers.

Two-Step Authentication: Helpful, But not Foolproof

In the days following the photo hacks, the media focused heavily on something known as two-step authentication. This adds an extra layer of security to an account, and it works this way: whenever you log in to an account, an email or text message is sent to you with a verification code that you must enter before you can proceed into your account.

Two-step verification may have stopped the hacker in this case from being able to change the user’s iCloud password, but this type of verification did not apply to iCloud restores. Even if there had been an extra authentication step in place, the hackers could have circumvented the verification and still accessed the files.
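The gap the article describes is a coverage problem: the second step guarded the password-change path but not the backup-restore path, so a stolen password alone was enough to pull down the files. The following is an added illustration, not Apple’s code or anything from the original post; the action names (`restore_backup`, `change_recovery_email`) are hypothetical stand-ins, and the delivery and checking of the emailed or texted code is reduced to a `code_verified` flag so the example can run offline. It compares a policy that demands the code only for password changes with one that demands it for every action that can expose stored data, and includes a small check that lists which sensitive actions a password alone still unlocks under a given policy.

```python
import hashlib
import os
from dataclasses import dataclass, field
from hmac import compare_digest

# Actions that can expose stored data or take over the account. This is a
# constructed list for the example; "restore_backup" stands in for the backup
# download path that the article says two-step verification did not cover.
SENSITIVE_ACTIONS = {"change_password", "restore_backup", "change_recovery_email"}


@dataclass
class Policy:
    name: str
    requires_second_factor: set  # actions for which the verification code is demanded


# The gap described above: the code is demanded only when changing the password.
WEAK = Policy("password-change-only", {"change_password"})
# Hardened: every action that can expose stored data demands the code.
STRONG = Policy("all-sensitive-actions", set(SENSITIVE_ACTIONS))


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    two_step_enrolled: bool = True
    audit: list = field(default_factory=list)


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the example never stores or compares a plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def new_account(username: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt))


def authorize(policy: Policy, account: Account, action: str,
              password: str, code_verified: bool) -> tuple:
    """Decide one request. code_verified is whether the caller has already
    passed the second-step (emailed/texted code) check for this request; how
    that code is delivered and checked is outside this example."""
    if not compare_digest(hash_password(password, account.salt), account.password_hash):
        account.audit.append((action, "denied: bad password"))
        return False, "bad password"
    if (action in policy.requires_second_factor
            and account.two_step_enrolled and not code_verified):
        account.audit.append((action, "denied: second factor required"))
        return False, "second factor required"
    account.audit.append((action, "allowed"))
    return True, "ok"


def uncovered_actions(policy: Policy) -> list:
    """Sensitive actions that a password alone unlocks under this policy; a
    non-empty list is the coverage gap a reviewer should flag."""
    return sorted(SENSITIVE_ACTIONS - policy.requires_second_factor)


def demo() -> tuple:
    """Replay the article's scenario: the caller holds the victim's password
    (obtained through phishing or guessed security questions) but has no access
    to the verification code. Returns (allowed_under_WEAK, allowed_under_STRONG)."""
    results = []
    for policy in (WEAK, STRONG):
        victim = new_account("user@example.com", "correct horse battery")  # constructed
        allowed, _ = authorize(policy, victim, "restore_backup",
                               "correct horse battery", code_verified=False)
        results.append(allowed)
    return tuple(results)


if __name__ == "__main__":
    for policy in (WEAK, STRONG):
        print(f"{policy.name}: password alone unlocks {uncovered_actions(policy) or 'nothing'}")
    print("restore_backup allowed with password only (weak, strong):", demo())
```

Under the weak policy the restore succeeds with the password alone, which is exactly the outcome the article describes; under the hardened policy the same request is refused until the second step has been passed. The `uncovered_actions` check is the part worth keeping: run it against whatever list of sensitive endpoints a service actually exposes, and any action it returns is one a phished password still unlocks.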

As the owner of a startup, you may not have nude photos on your iPhone camera roll, but you probably have personal and business information that you’d prefer to keep secure and safe from attack. It seems that we’re bombarded on a regular basis with stories of attacks on both individual and corporate data. Unfortunately, hackers seem to remain two steps ahead of those who work in the information security business.

Startups have to remain agile and nimble, and that means using the cloud. While it is inexpensive and convenient, there are risks with offsite applications and data storage. So whose job is it to protect that information? It is up to both users and cloud providers to protect data. Multi-layer security is critical, and it is even more critical to make changes and updates to security measures to ensure that hackers stay behind the eight ball.

Some businesses have gotten so spooked by cloud attacks that they’ve taken their data offline. Unfortunately, this leaves them even more vulnerable to attack, and leaves their companies open to data disasters. Additionally, physical servers are extremely expensive and impractical for storing the vast amounts of data that companies collect for business intelligence initiatives.

Get to Know Your Cloud Provider

Almost all business is moving to the cloud. Mom and Pop shops all the way through Fortune 100 companies use cloud-based software, document sharing services, and data storage warehouses. The cloud allows employees to access information from anywhere, which is critical in an era of smartphones, tablets, and telecommuting. The cloud also provides companies with almost endless amounts of data storage, reducing the costs of on-site servers.

It is important to choose cloud services based on more than just price or convenience. You must research each provider you consider, so that you understand the types of security measures they take to ensure the safety of your sensitive information. Your vendors should offer multi-layer encryption and other security measures to prevent unauthorized access to data.

When it comes time to choose the best way to protect your information, you must be able to evaluate that information. Just how sensitive is it, truly? You’d want to go to greater lengths to protect social security numbers and bank account information than you would a customer’s buying history or preferences. You must first define the level of privacy that your data requires, and then choose a level of security that is appropriate for that data.

It is also important to keep in mind the fact that security isn’t convenient. It may mean not allowing employees to store their passwords on their devices or use their own devices for work-related activities. While this may seem impractical, asking employees to take thirty seconds to type a password or use a work-issued tablet is far less damaging than a data breach. It is never easy to strike a balance between convenience and security, but when in doubt, always err on the side of caution. Your customers will thank you in the long run.